GOV-05: Maintain Group Naming Conventions

Overview

Consistent naming conventions improve governance, make groups easier to find, and indicate their purpose at a glance. Random or inconsistent group names suggest poor organizational hygiene and make administration harder.

This control assesses whether your Microsoft Entra ID groups follow a consistent, detectable naming pattern. TrueConfig checks that at least 70% of groups use a recognizable convention such as a standard prefix (e.g., PREFIX-Name or PREFIX_Name) or a consistent casing style (e.g., CamelCase). Groups that do not match any detectable pattern lower the score.

The expected state for this control is:

  • Groups follow a consistent naming convention pattern.
  • At least 70% of groups use a detectable pattern (e.g., PREFIX-Name, PREFIX_Name, CamelCase).
  • Naming patterns improve group organization and discoverability.

This is an advisory, manual-only control. TrueConfig detects adherence; renaming non-compliant groups must be done by an administrator. No license beyond any Entra ID tier is required to assess naming adherence.

Prerequisites

Required Roles

  • Global Administrator - Full configuration access
  • Groups Administrator - Can rename and manage groups

Required Licenses

  • None -- assessing and correcting group naming requires no additional license beyond any Entra ID tier. Note: configuring an automated Entra ID group naming policy (an optional enforcement tool described in Step 2) requires Microsoft Entra ID P1.

Time Estimate

Task                               Duration
Audit current group names          30-60 minutes
Define naming convention           1-2 hours
Rename non-compliant groups        Varies by volume
Configure optional naming policy   30 minutes
Initial Setup Total                2-4 hours plus remediation

Step-by-Step Instructions

Step 1: Decide on a Group Naming Convention

Before remediating non-compliant groups, document a clear standard. Common patterns that TrueConfig can detect include:

Group Type            Prefix   Format                   Example
Security Groups       SEC-     SEC-[Dept]-[Function]    SEC-Finance-ReadOnly
Distribution Lists    DL-      DL-[Dept or Team]        DL-Marketing
Microsoft 365 Groups  M365-    M365-[Project/Team]      M365-ProjectAlpha
Dynamic Groups        DYN-     DYN-[Criteria]           DYN-AllEmployees
Role Groups           ROLE-    ROLE-[RoleName]          ROLE-HelpDeskAgents

Choose one consistent delimiter (hyphen or underscore) and apply it uniformly. Document exceptions (e.g., legacy groups that cannot be renamed) to avoid repeated audit findings.
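As an added illustration (not TrueConfig's own detection logic, which this page does not publish), the following PowerShell classifies a list of group display names into the three pattern families named in the Overview (PREFIX-Name, PREFIX_Name, CamelCase) and reports whether the dominant family reaches the 70% threshold. The regular expressions and the sample names are constructed for the example; tune the expressions to your documented standard.

```powershell
# Added example: classify group names by pattern family and score the dominant convention.
# The regexes are assumptions about what a "detectable pattern" looks like.

function Get-NamingPatternFamily {
    param([Parameter(Mandatory)][string]$Name)

    # Uppercase prefix of 2-6 letters/digits followed by a hyphen, e.g. SEC-Finance-ReadOnly
    if ($Name -cmatch '^[A-Z][A-Z0-9]{1,5}-\S') { return 'PREFIX-Name' }
    # Same prefix shape with an underscore delimiter, e.g. SEC_Finance_ReadOnly
    if ($Name -cmatch '^[A-Z][A-Z0-9]{1,5}_\S') { return 'PREFIX_Name' }
    # CamelCase: two or more capitalised words with no separators, e.g. FinanceReadOnly
    if ($Name -cmatch '^([A-Z][a-z0-9]+){2,}$') { return 'CamelCase' }
    return 'None'
}

function Get-NamingConventionReport {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [double]$Threshold = 70.0
    )
    $families = $Names | ForEach-Object { Get-NamingPatternFamily -Name $_ }
    $counts   = $families | Group-Object | Sort-Object Count -Descending
    # The dominant family is the most common one that is not "None"
    $dominant = $counts | Where-Object Name -ne 'None' | Select-Object -First 1
    $dominantCount = if ($dominant) { $dominant.Count } else { 0 }
    $pct = if ($Names.Count -gt 0) { [math]::Round(($dominantCount / $Names.Count) * 100, 1) } else { 0 }

    [pscustomobject]@{
        TotalGroups        = $Names.Count
        DominantPattern    = if ($dominant) { $dominant.Name } else { 'None' }
        DominantPercentage = $pct
        MeetsThreshold     = $pct -ge $Threshold
        Unmatched          = @($Names | Where-Object { (Get-NamingPatternFamily -Name $_) -eq 'None' })
    }
}

# Constructed sample inventory (not real tenant data); against a live tenant use
# $sampleNames = (Get-MgGroup -All -Property DisplayName).DisplayName
$sampleNames = @(
    'SEC-Finance-ReadOnly', 'SEC-HR-Editors', 'DL-Marketing', 'M365-ProjectAlpha',
    'DYN-AllEmployees', 'ROLE-HelpDeskAgents', 'SEC-IT-Admins', 'DL-Sales',
    'Finance team (old)', 'test group 2'
)
Get-NamingConventionReport -Names $sampleNames | Format-List
```

With the sample list, eight of ten names fall in the PREFIX-Name family (80%), so MeetsThreshold is true and the two unmatched names are listed for remediation. The -cmatch operator is used deliberately: CamelCase detection only makes sense case-sensitively.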

Step 2: Audit Current Group Compliance

Run the following script to identify groups that do not match your chosen patterns:

Connect-MgGraph -Scopes "Group.Read.All"

# Define the naming patterns your organization uses
$validPatterns = @(
    "^SEC-",
    "^DL-",
    "^M365-",
    "^DYN-",
    "^ROLE-"
)

# Get all groups
$groups = Get-MgGroup -All -Property DisplayName, Id, GroupTypes, CreatedDateTime

# Identify non-compliant groups
$nonCompliant = $groups | Where-Object {
    $name = $_.DisplayName
    $isCompliant = $false
    foreach ($pattern in $validPatterns) {
        if ($name -match $pattern) {
            $isCompliant = $true
            break
        }
    }
    -not $isCompliant
}

$total = $groups.Count
$compliant = $total - $nonCompliant.Count
$pct = if ($total -gt 0) { [math]::Round(($compliant / $total) * 100, 1) } else { 0 }

Write-Host "Total groups: $total"
Write-Host "Compliant groups: $compliant ($pct%)"
Write-Host "Non-compliant groups: $($nonCompliant.Count)"

# Export for remediation
$nonCompliant | Select-Object DisplayName, Id, GroupTypes, CreatedDateTime |
    Export-Csv "non-compliant-groups.csv" -NoTypeInformation

The TrueConfig threshold is 70%. If the compliance percentage is below 70%, this control will be flagged.

Step 3: Rename Non-Compliant Groups

For each group in the export, rename it to follow your convention:

# Rename a Microsoft 365 group or security group
Update-MgGroup -GroupId "<GroupId>" -DisplayName "SEC-Finance-ReadOnly"

Notes:

  • Microsoft Teams names are tied to their underlying Microsoft 365 group. Renaming the group also renames the Team, which notifies members.
  • Some legacy groups or system-created groups cannot be renamed. Document these as exceptions.
  • Distribute the remediation across a change window for large group inventories to avoid notification fatigue.
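The following added example (not code from the original control page) turns the exported CSV into a batch rename that applies the safeguards in the notes above: it skips documented exceptions and groups with no owner (a common sign of a system-managed group), flags Teams-backed groups whose members will be notified, rejects new names that do not match the convention, and supports -WhatIf for a dry run. The CSV column names (Id, CurrentName, NewName), the exceptions file, and the prefix list are assumptions.

```powershell
# Added example: batch rename from a mapping CSV with exception handling and a dry-run mode.
# Column names and file names are assumptions for this example.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

function Invoke-GroupRenamePlan {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MappingCsv,     # columns: Id, CurrentName, NewName
        [string]$ExceptionsCsv,                        # optional; column: Id
        [string]$Prefix = '^(SEC|DL|M365|DYN|ROLE)-'   # every new name must match this
    )

    # Load documented exceptions so they are never touched
    $exceptions = @{}
    if ($ExceptionsCsv -and (Test-Path $ExceptionsCsv)) {
        Import-Csv $ExceptionsCsv | ForEach-Object { $exceptions[$_.Id] = $true }
    }

    foreach ($row in Import-Csv $MappingCsv) {
        if ($exceptions.ContainsKey($row.Id)) {
            Write-Host "SKIP (documented exception): $($row.CurrentName)"
            continue
        }
        if ($row.NewName -notmatch $Prefix) {
            Write-Warning "SKIP (new name violates convention): $($row.NewName)"
            continue
        }

        $group = Get-MgGroup -GroupId $row.Id -Property DisplayName, ResourceProvisioningOptions -ErrorAction SilentlyContinue
        if (-not $group) {
            Write-Warning "SKIP (group not found): $($row.Id)"
            continue
        }
        # Groups with no owner are commonly system-managed; leave them for manual review
        $owners = @(Get-MgGroupOwner -GroupId $row.Id -ErrorAction SilentlyContinue)
        if ($owners.Count -eq 0) {
            Write-Warning "SKIP (no owner, possibly system-created): $($group.DisplayName)"
            continue
        }
        # A Teams-backed Microsoft 365 group notifies its members on rename; flag it in the output
        $isTeam = $group.ResourceProvisioningOptions -contains 'Team'
        $note = if ($isTeam) { ' [Teams-backed: members will be notified]' } else { '' }

        if ($PSCmdlet.ShouldProcess("$($group.DisplayName) -> $($row.NewName)$note", 'Rename group')) {
            Update-MgGroup -GroupId $row.Id -DisplayName $row.NewName
            Write-Host "RENAMED: $($group.DisplayName) -> $($row.NewName)$note"
        }
    }
}

# Dry run first; rerun without -WhatIf once the plan looks right
Invoke-GroupRenamePlan -MappingCsv 'rename-plan.csv' -ExceptionsCsv 'naming-exceptions.csv' -WhatIf
```

Running the plan with -WhatIf first produces the full list of intended renames, including which ones will trigger Teams notifications, which is the input you need to schedule batches across a change window.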

Step 4: Configure the Entra ID Group Naming Policy (Optional, Requires P1)

If your organization holds Microsoft Entra ID P1 licenses, you can configure a naming policy to enforce prefixes and block reserved words on new group creation. This is an optional enforcement mechanism; it does not affect the detection threshold for this control.

  1. Navigate to Microsoft Entra admin center: https://entra.microsoft.com
  2. Go to Identity > Groups > All groups
  3. Click Naming policy in the left navigation.

Configure Prefixes and Suffixes

  1. Under Group naming policy, click Add prefix or Add suffix.
  2. Choose String for a fixed prefix (e.g., "SEC-") or Attribute for a dynamic value.
  3. Click Save.

Configure Blocked Words

  1. Under Blocked words, download the template, add reserved words (e.g., admin, root, test), and upload the file.
  2. Click Save.

Note: Global Administrators are exempt from naming policies by default. Test with a non-admin account to verify enforcement.

Step 5: Restrict Group Creation to Reduce Future Non-Compliance

Limiting who can create groups reduces the rate at which non-compliant names are introduced:

  1. Navigate to Identity > Groups > General settings.
  2. Under Self-service group management, set Restrict group creation to a specific group to Yes.
  3. Select a security group containing approved group creators (typically IT staff or department admins). If no such group exists yet, create one with the following script:

Connect-MgGraph -Scopes "Group.ReadWrite.All"

$groupParams = @{
    DisplayName    = "SEC-Allowed-Group-Creators"
    Description    = "Members can create Microsoft 365 groups"
    MailEnabled    = $false
    SecurityEnabled = $true
    MailNickname   = "AllowedGroupCreators"
}
New-MgGroup @groupParams
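Both the naming policy from Step 4 and the group-creation restriction in this step are stored in the Group.Unified directory setting, so they can also be set and read back from PowerShell instead of the portal. The following is an added example, not code from the control page; the prefix format, the blocked-word list and the creators group name are assumptions, and the Directory.ReadWrite.All scope is needed to write directory settings. The read-back function gives you the verification step the checklist below asks for.

```powershell
# Added example: configure naming policy, blocked words, and creation restriction through
# the Group.Unified directory setting, then read the effective values back for verification.
# Prefix format, blocked words, and the creators group name are assumptions.

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"

function Set-GroupNamingGovernance {
    param(
        [string]$PrefixSuffixRequirement = 'SEC-[GroupName]',   # [GroupName] is the user-chosen part
        [string[]]$BlockedWords = @('admin', 'root', 'test'),
        [string]$AllowedCreatorsGroupName = 'SEC-Allowed-Group-Creators'
    )

    $creators = Get-MgGroup -Filter "displayName eq '$AllowedCreatorsGroupName'" -Property Id
    if (-not $creators) { throw "Creators group '$AllowedCreatorsGroupName' not found" }

    $values = @(
        @{ Name = 'PrefixSuffixNamingRequirement'; Value = $PrefixSuffixRequirement }
        @{ Name = 'CustomBlockedWordsList';        Value = ($BlockedWords -join ',') }
        @{ Name = 'EnableGroupCreation';           Value = 'false' }   # only the allowed group may create
        @{ Name = 'GroupCreationAllowedGroupId';   Value = $creators.Id }
    )

    # The directory setting exists only after it has been created from the template once
    $existing = Get-MgGroupSetting | Where-Object DisplayName -eq 'Group.Unified'
    if ($existing) {
        Update-MgGroupSetting -GroupSettingId $existing.Id -Values $values
    } else {
        $template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq 'Group.Unified'
        New-MgGroupSetting -TemplateId $template.Id -Values $values | Out-Null
    }
}

function Get-GroupNamingGovernance {
    # Read back the effective setting so the change can be verified and later audited
    $setting = Get-MgGroupSetting | Where-Object DisplayName -eq 'Group.Unified'
    if (-not $setting) { return $null }
    $result = @{}
    foreach ($v in $setting.Values) { $result[$v.Name] = $v.Value }
    [pscustomobject]$result
}

Set-GroupNamingGovernance
Get-GroupNamingGovernance |
    Select-Object PrefixSuffixNamingRequirement, CustomBlockedWordsList, EnableGroupCreation, GroupCreationAllowedGroupId
```

Keep the read-back output with your control evidence; because Global Administrators are exempt from the naming policy, confirm enforcement with a non-admin account as the Step 4 note describes.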

Verification Checklist

After addressing group naming:

  • Naming convention is documented and shared with administrators.
  • At least 70% of groups follow the documented pattern (run the audit script to confirm).
  • Non-compliant groups have been renamed or documented as approved exceptions.
  • Optional: Entra ID group naming policy is configured to enforce prefixes on new groups (P1 required).
  • Group creation is restricted to approved creators to prevent future drift.

Troubleshooting

Issue: Naming policy does not apply to a group I just created

Cause: The creating user may be a Global Administrator, who is exempt by default.

Solution:

  1. Verify the policy is saved in Entra ID.
  2. Test with a non-admin user account.
  3. Wait up to 24 hours for policy propagation.

Issue: Compliance percentage is below 70% but most non-compliant groups are system-created

Cause: Microsoft creates some internal groups (e.g., "All Users", conference room groups) that do not follow custom naming patterns.

Solution:

  1. Export the non-compliant list and filter out system-managed groups (look for groups with no owner, or groups created by Microsoft).
  2. Document these as approved exceptions in your naming convention policy.
  3. Focus remediation on administrator-created groups.

Issue: Renaming a Team caused confusion for members

Cause: Microsoft Teams notifies members when the underlying Microsoft 365 group is renamed.

Solution:

  1. Communicate renames in advance to affected team owners.
  2. Schedule renames during low-activity windows.
  3. Rename in batches with adequate notice periods.

Issue: Blocked word still appears in new group names

Cause: The blocked words file may not have uploaded correctly or contains encoding issues.

Solution:

  1. Download the current blocked words file and verify your entries are present.
  2. Check for encoding issues (use UTF-8).
  3. Re-upload the file and save the policy.

Related Controls

  • GOV-01: Review Stale User Accounts (service account identification through naming)
  • GOV-07: Admin account separation (admin account naming)
  • PA-04: Require PIM for All Privileged Roles

Revision History

Date        Version  Author      Changes
2025-01-07  1.0      TrueConfig  Initial release